Single Label Domain (SLD) and Azure AD Connect

The SLD Azure AD case

Some time ago I was at this customer where I needed to setup Azure AD from 2 forests and 7 domains. Essentially this customer wanted to move to Office 365 Exchange Online. When I was making an inventory of these domains I came across a Single Label Domain (SLD). And me at the age of 30 had never heard of this one.

Single label Domain (SLD)

So what is a single label domain. SLD is a name that is used to describe domains which have only a single name, and no suffix. As example, your Active Directory domain might have a name like company.local, but if it were Single Label, it might be just company.

Either way SLD or Single label domains are a pretty grey area when it comes to support when you need Microsoft. So some advice is to avoid them at all times.

Ok lets go back on topic. We have 2 Active Directory Forests One of these forest is Single label and we have 7 domains and one of these 7 domains is a Single label domain. All the rest is just a normal FQDN like company.local.

Now we get back to the part Microsoft that Microsoft does not support this.

Setting up Azure AD

When you start configuring Azure AD you get to a certain point that AzureAD is asks for you domain forest(s) to give in so it can discover the domain underneath. Both Forests will be discovered yes even the Single label One. And Yes it discovers all FQDN domain names underneath. Except the Single label domain that one will not be discovered.

I understand that this was a little confusing so see the table below :).

Forest.local

Discoverd

Forest.

Discoverd

Domain.local1

Yes

Domain.local5

Yes

Domain.local2

Yes

Domain.local6

Yes

Domain.local3

Yes

Domain.

No

Domain.local4

Yes

I tried some different kind of things to get the Domain. Discovered within Azure AD connect. In the end I found out that with creating a Host file gets it the domain discovered in Azure AD connect. So we moved to the next setup screen in Azure AD connect and that is letting Azure AD discover anything what is inside the domain and then I mean the objects itself.

This is never going to work even with the setup of the hosts file it doesn’t work. So this quest came to a end and we needed to figure out something else.

So what we did is we made a decision to create a new Forest with a new domain and move all the users to that domain. For this task we used ADMT. ADMT is a tool from Microsoft that provides a “copy” action to move Active Directory object from and to different type of domains.

Active Directory Migration Tool (ADMT)

Microsoft developed ADMT to speed the migration process and reduce the chance of errors. ADMT performs object migrations and security translations in a way to limit disruptions to let users access network resources while the migration is underway.

Check this URL if you want to start with ADMT.

https://www.microsoft.com/en-us/download/details.aspx?id=19188

Please follow and like us:
error

An easy way to manage your organization with Intune

Next up Intune

Since some time Microsoft has been promoting lots of companies to go with Intune. Most of these companies want to use a solution like Intune but sometime already have a system in place which takes care of their mobile devices. Think about Airwatch or Mobile Iron. Most of the time Intune gets compared with Mobile Iron or Airwatch but what most companies do not know is that Intune is not just about mobile devices. It can do lots more than that.

Where to start with Intune

As mentioned before lots of companies do not know where to start with Intune. One of the most asked question I get at customers is do I start with MDM for mobile devices or do I start with MAM and what is the difference. And how do i make sure i enroll the devices without big impact to my users.

First of all the best thing you can do is start with a simple pilot for Mobile Application Management (MAM). Based on a azureAD group. What MAM does is, it manages the applications you make available within Intune for you mobile devices. If you start with this i recommend to just select all the applications from the Microsoft Office 365 subscription.

You can do this within the App protection policies.

intune apps

As you can see my selection of apps are put in just for Android devices. This comes because i have created two policies. One for Android and One for IOS. The reason for this is that i can manage both type of devices separately. For instance if i want to add apps like Google Maps (Android) or Safari (Apple) you can manage these just for these device types.

*make sure you assign your policies to just a few of you, not for the entire company when testing.

Mobile application management (MAM)

As written above you can implement Mobile application management pretty easy. Just make sure you have the right licenses (EM+S E3 or EM+S E5 or Intune). and you are good to go. But what does Mobile application management actually do.

Basically MAM manages the applications you offer to your users as a service to use. This means that a user which has for example a private device can use Outlook for IOS/Android with corporate email in a safe way. The user just need to install the application from the Google playstore or Itunes. The users will be guided thru the process and will end up with a safe working version of outlook with his corporate email.

With the policies you have created you have set some properties to prevent options like; Copy from email to phone storage, open Urls from email into unmanaged browser, Save attachments to non managed storage.

Mobile Device Management (MDM)

What is mobile device management (MDM), MDM is a way of securing the device a user gets from his company. Most of the time i advise this option when a company has company phones which they give to their employees. In this case the device is owned by the company so there is a possibility that you want to do more with the device then just manage the applications like in MAM. Things you can do more then you can do with MAM  are;

  • Device encryption
  • Push company owned apps
  • Install applications from Itunes or Google playstore
  • Wipe entire device instead of just the managed applications
  • Push certificates and WiFi profiles
  • And lots more

I hope this gives you some insights on MAM and MDM. In my opinion these are the best options to start with when starting with Intune. But you can imagine there are lots more feature you can do with Intune. Think about enrolling Windows 10 devices with autopilot, so you can really give you customers a seamless out-of-the-box-experience (OOBE). Even Co-management is possible these days.  In the following blogs i will guid you thru the implementation of some of these features and possibilities.

If you have some ideas for a blogpost regarding Intune that you needs to be worked out please let me know. And i will try if i can create a tutorial for this.

Also do not forget to check my other blogs @j3rmeyer.nl

 

Please follow and like us:
error

How to disable Office Groups and Teams creation the right way.

Why disable groups/ teams creation

Some companies want to permit access to group and our teams creation. There can be many reasons for this. For instance you want to disable the creation of groups and teams to be more in control over these features.

To do this the right way it is recommended that only certain users are able to create groups and teams. In order to perform this it is rather recommended to create a Universal Security Group (which is mail enabled). This group will be used only for group and team creation.

First steps

As mentioned before it is recommended to create a Universal Security Group (which is mail enabled). When you have Azure AD Connect in place you should create this group on-premise and sync this over to Azure AD. That means that you management will maintain On-premise.

You can also create this group in Azure AD itself. If that is your way to go you should just create a security group in Azure AD. Please understand that your management will be in AzureAD/ Office 365.

The Script

To disable the group/ teams creation you can run the script bellow from the Azure AD PowerShell module

$Settings = Get-AzureADDirectorySetting | Where-Object {$_.DisplayName -eq ‘Group.Unified’}
If ( !( $Settings)) {
# No Group.Unified object found, create new settings object from template
Get-AzureADDirectorySettingTemplate | Where-Object {$_.DisplayName -eq ‘Group.Unified’} | Select-Object -ExpandProperty Values
$Template = Get-AzureADDirectorySettingTemplate | Where-Object {$_.DisplayName -eq ‘Group.Unified’}
$Template | Select-Object -ExpandProperty Values
$Settings = $Template.CreateDirectorySetting()
}
$Settings[‘EnableGroupCreation’] = ‘false’
$Settings[‘AllowToAddGuests’] = ‘false’
$Settings[‘GroupCreationAllowedGroupId’] = ( Get-AzureADGroup -SearchString ‘Office365GroupTeamsAdmins‘).ObjectId
If ( Get-AzureADDirectorySetting | Where-Object {$_.DisplayName -eq ‘Group.Unified’} ) {
Get-AzureADDirectorySetting | Where-Object {$_.DisplayName -eq ‘Group.Unified’} | Set-AzureADDirectorySetting -DirectorySetting $Settings
}
Else {
New-AzureADDirectorySetting -DirectorySetting $Settings
}

And make sure there is a Synced universal mail enabled security group with the name Office365GroupTeamsAdmins. Because  the user must be in the group Office365GroupTeamsAdmins to create groups and teams so all other users are not permitted.
Thanks to Michel de Rooij for this script
Please follow and like us:
error

Cheat sheet with all Ports and rules needed for a Skype 2015 Onpremise environment

Skype For Business Ports

As in my previous post i will share a cheat sheet with you. This time the cheat sheet refers to a Skype For Business Onpremise implementation. To make things easier for myself, I created an overview of all ports and ip adresses that hits firewalls and network of customers.

TThe document is mentions as a cheat sheet this means that you can adjust it and present it to the customers network team.

Overview

There are always some requirements.

  • External IP adresses for remote Subdomains
  • Access to EXternal DNS
  • This Drawing does not contain the Office webapp server

Skype Ports

Please let me know if you are missing some things.

Please follow and like us:
error

Cheat sheet with all Ports and rules needed for a Exchange Hybrid Infrastructure

Exchange Hybrid Ports Cheat Sheet

When working with Exchange I sometimes come to clients who already have a hybrid exchange configured environment. In many cases this is when the hybrid configuration does not work. To make things easier for myself, I created an overview that eliminates the pain of firewalls and networks.

To help you guys out in these situations i share my ports overview document with you, The document is mentions as a cheat sheet this means that you can adjust it and present it to the customers network team.

Overview

There are always some requirements for a Exchange hybrid environment

  • External IP for a seperate Hybrid flow that resolves to hybrid.domain.nl
  • You need to be sure that the hybrid server is part of the mail environment
  • Make sure autodiscover is set the right way
  • The Exchange server which is used for the Hybrid configuration needs to be in the LAN
  • Do NOT forget the Exchange online and Exchange online protection URL’s
  • If you do not have an external IP use the external IP of the autodiscover.
hybrid exchange ports cheat sheet
hybrid exchange ports cheat sheet

 

Click here to read other posts for more Exchange related posts.

 

Please follow and like us:
error

Migrate Exchange Hybrid Server to another other domain

Migrate Exchange Hybrid server

If you just want to manage the users in Exchange Online and you want to keep Exchange Hybrid, it is recommended to keep one hybrid server connected to your Office 365. You have to make sure that you migrate the rest of the mailboxes  to Office 365.

When all users are in Office 365, then Install another Exchange on the other domain an turn it hybrid.

Note: You have to change your configuration of your AD Connect to accomplish that.

In this blog i will explain step by step on how to achieve this

Install Exchange 2016 in user Forest

Install EX2016 in (new) user forest – Set SCP  to null to prevent any Auto discover. You can use the command below to perform this. Changing the SCP record  shouldn’t affect the existing deployment in the other forest. Recommended is to set the SCP to null once the installation of EX2016 was completed, this was more of a precaution than anything else as all the Autodiscover DNS entries already point to exchange online.

Get-ExchangeServer | Where {($_.AdminDisplayVersion -Like “Version 15.0*”) -And ($_.ServerRole -Like “*ClientAccess*”)} | Set-ClientAccessServer -AutoDiscoverServiceInternalUri https://$null

Configure new Exchange server

Add Office 365 mail routing domain as remote domain in you exchange server. You can do this at the Exchange Admin Center (EAC) of your exchange server. If there already is a connector you can see this in the overview.

To add a mail flow click the + button

Select your Exchange server and follow the instructions. You can also perform this within Powershell (make sure you use the Exchange management Shell).

New-SendConnector -Name J3Rmeyer -AddressSpaces * -CloudServicesMailEnabled $true -Fqdn <CertificateHostNameValue> -RequireTLS $true -DNSRoutingEnabled $false -SmartHosts jerrymeyer.nl-com.mail.protection.outlook.com -TlsAuthLevel CertificateValidation

This command will create a send connector as followed

  • Name   j3rmeyer
  • FQDN   mail.jerrymeyer.nl
  • SmartHosts   jerrymeyer.nl.mail.protection.outlook.com

if you have multiple connectors please take a look at the Technet page where all the details are explained.

*Source: Microsoft technet

Export Exchange Attributes

Export Exchange attributes from resource forest account. If you have read my blog about migrating Azure AD Connect to another domain/ forest you will see that there are a lot of similarities

Link to former blogpost

It is important that you export the Attributes below.

  • userPrincipalName
  • proxyAddresses
  • legacyExchangeDN
  • Targetaddress

When Hybrid you need the above and attributes below

  • msExchRecipientTypeDetails
  • msExchMasterAccountSid
  • msExchRecipientDisplayType
  • msExchRemoteRecipientType

*note check you user environment if the MUE and exchange guids are matching. Also check the MasterAccountSID if these are filled. The msExchMasterAccountSid is used to merge the users within the Metaverse of Azure AD Connect. This will result in that only one user will show up in the Office 365 tenant.

Azure AD Connect pt1

When you have exported all the attributes it is time to stop the Azure Ad Connect. You can do this with the commands bellow

To disable Azure AD connect in the Office 365 tenant.

Set-MsolDirSyncEnabled –EnableDirSync $false

Check if it is enabled:

(Get-MSOLCompanyInformation).DirectorySynchronizationEnabled

5. Remove resource forest account from AAD connect scope so it only syncs from user forest account

Import Exchange Attributes

Import Exchange attributes to user forest account and make sure to run the new-remotemailbox command to match the mailboxes online with the user accounts on-premise.

Enable-RemoteMailbox jerry -RemoteRoutingAddress jerry@j3rmeyer.mail.onmicrosoft.com

The Enable-RemoteMailbox command can be run immediately after creating the user account in Active Directory so there is no need to wait for the next AAD Connect synchronization cycle to complete before enabling the mailbox. Once the user account has been provisioned to AAD, the mailbox will automatically created or match.

Azure AD Connect pt2

When you have imported the Exchange attributes and did the match of the mailboxes it is time to enable the Azure AD connect.

To enable Azure AD connect in the Office 365 tenant.

Set-MsolDirSyncEnabled –EnableDirSync $true

Check if it is enabled:

(Get-MSOLCompanyInformation).DirectorySynchronizationEnabled

Change Azure AD configuration

When the Azure ad is doing its work and you have tested the mailboxes it is time to Remove the resource forest. To remove the resource forest account from the Azure AD connect you have to go in the configuration panel of Azure AD connect.

Go to containers and untick the domain

Decommission hybrid from resource forest

In this step we start with a note.

*note: Be sure to establish mail flow in your new environment prior decommission Exchange hybrid. Or queue the mails from on-premises

Bellow you find a list on what to do

  1. Move all legacy Exchange mailboxes to newly deployed Exchange server 2013/2016 in the organization.
  2. Move all content from the public folder database on the Exchange server to a public folder database on an Exchange  server in the organization.
  3. Remove the public folder mailbox and stores on the Exchange server
  4. On Exchange servers, for each offline address book (OAB), move the generation process to an Exchange 2013/2016 server. Ensure 2013/2016 is the one generating/serving OABs for users.
  5. Remove all added DB copies of mailbox DBs so each DB has a single copy in Exchange Server
  6. Remove all nodes from any existing Exchange Server Database Availability Group
  7. Delete the Exchange Server Database Availability Group
  8. Optional: Set the RpcClientAccessServer value of all  DBs to the FQDN of their server
  9. Optional: Remove the CAS Array Object(s)
  10. Check the SMTP logs to see if any outside systems are still sending SMTP traffic to the servers via hard coded names.
  11. Start removing mailbox databases to ensure no arbitration mailboxes still exist on Exchange  servers
  12. Verify that Internet mail flow is configured to route through your Exchange 2013/2016 transport servers
  13. Verify that all inbound protocol services (Microsoft Exchange ActiveSync, Microsoft Office Outlook Web App, Outlook Anywhere, POP3, IMAP4, Auto discover service, and any other Exchange Web service) are configured for Exchange 2013/2016.
  14. Start uninstalling Exchange Server and reboot the server.

*source: blog technet

Configure hybrid in user forest

I think most of you know on how to do this. If not please check out Jaap Wesselius his blog.

 

I think i have captured the most of the migration, If you notice something is missing, incomplete or wrong please notify me.

Please follow and like us:
error

Migrating Azure AD connect to new Active directory domain

Migrate Azure AD connect

When you want to migrate Azure AD Connect to another domain, so things can become pretty complicated. These kind of migrations can also create a lot of issues and unknown errors. The best thing to do before you start such a migration is to prepare this scenario in a testlab.

Disable Azure AD connect

First you need to logon to the Azure AD connect server which you want to migrate. Then perform the 4 steps below.

Install the Azure Active Directory Module for Windows PowerShell. So For more info, go to the following Microsoft website:

Connect to Azure AD by using Windows PowerShell. For more info about how to do this, go to the following Microsoft website:

Disable directory synchronization.  So to do this, type the following cmdlet, and then press Enter:

Set-MsolDirSyncEnabled –EnableDirSync $false

Check that directory synchronization was fully disabled by using the Windows PowerShell. To do this, run the following cmdlet periodically:

(Get-MSOLCompanyInformation).DirectorySynchronizationEnabled

*note This will take up to 72 hours. This change will not cause any service interruption, all users will be able to use their services as normal.

Install the new Azure AD connect

When you have prepared or executed the steps above you can install the Azure AD connect tool on the new server.

The second step is to populate your new AD domain with all user accounts. So it is now important that you copy all information from the old domain, (companyname, jobtitles etc), and for Exchange Online it is especially important that these attributes are copied:

  • userPrincipalName
  • proxyAddresses
  • legacyExchangeDN

When Hybrid you need the above and attributes below

  • msExchRecipientTypeDetails
  • msExchMasterAccountSid
  • msExchRecipientDisplayType
  • msExchRemoteRecipientType

What does the attributes do

  • The UserPrincipalName (UPN) of the users is the login name to Office 365.
  • ProxyAddresses are all your email addresses, both primary and alias.
  • The legacyExchangeDN, is used if you previously have migrated from an Exchange on-premises to Office 365. It is used for internal addressing in Exchange. If it is removed you will not be able to reply to old emails, meeting invitations, and your Suggested Contacts will also fail.
  • msExchRecipientTypeDetails sets the type of mailbox: usermailbox(1), linkedmailbox(2), Sharedmailox(4), legacymailbox(8), room mailbox(16), equipmentmailbox(13)
  • msExchMasterAccountSid This attribute of the target user object holds the objectSID of the source user account. This allows to connect to the own mailbox and shared mailbox.
  • msExchRecipientDisplayType sets the type of account that is used (List of references)
  • msExchRemoteRecipientType

Match Immutable ID

The third step is to make sure the immutable id in Office 365 which uses the ObjectGUID attribute  is translated to an ImmutableID in Azure Active Directory. If you rename your users, the ObjectGUID is untouched. And most of the time you use the ObjectGUID by default as immutableID.

*note if you have used something else please make sure this part is covert.

Currently we are moving to a new Domain so in this case the ObjectGUID will be changed. To manage this we have to clean the attribute in Office365. Office 365 generates these IDs for us,  you can use the Command below.

Set-msolUser -UserprincipalName “jerry.meyer@domain.com” -immutableID “$null”

Enable AzureAD sync and reinstall Azure AD connect

The next step is to enable Azure AD connect in the Office 365 tenant.

Set-MsolDirSyncEnabled –EnableDirSync $true

Check if it is enabled:

(Get-MSOLCompanyInformation).DirectorySynchronizationEnabled

After these steps you reinstall the Azure AD Connect Sync tool on a server in the new domain. I strongly recommend using a new server for this step. Always use a new server for this purpose else it can create bad errors or even break the sync. When this happens you need to create a ticket at Microsoft.

When the installation and full sync is done. The Sync tool will match the users in Office 365 and AD onprem by the primary email address. When there is a match  a new ImmutableID is created and written to Azure AD.

Please follow and like us:
error

Retention Policy and Litigation hold

Most of the times Security is unfamiliar terrain when it comes down to Litigation hold and Retention Policies. In this blog post i will explain when to use Litigation hold and when it is best to use the Retention policy in Office 365.

Litigation Hold

When you search on Technet or Google for litigation hold you will find millions of results. But Actually it is quit simple. Litigation Hold is actually another expression for Legal Hold. When you translate this into Office 365 you will use this function. For instance when a user is leaving the company and you need to preserve the Mailbox for 30 years or even longer.

If you activate or use litigation hold you can already check this from you GDPR Checklist because this is one of the requirement.  Office 365 offers a rich set of in-place eDiscovery capabilities to identify relevant data. in-place Discovery including  for instance, search, hold, analyze and export. These tools will help you quickly to meet the investigative, legal, and regulatory requirements regarding GDPR.

To activate Litigation hold you can simply run the following command from the Exchange online powershell module

Set-Mailbox user@domain.com -LitigationHoldEnabled $true -LitigationHoldDuration Unlimited

*note it can take up to 60 minutes before this function is completely activated.

Retention Policy

Since some time compliance is one of Microsoft’s main focuses in Office 365. You need to know how to use these Office 365 features, so that next time you encounter legal, industry regulations or internal policies, you know what to do.

A retention policy is mainly used to preserve content for a specific period of time or indefinitely. Due to regulatory, legal, or business requirement. You can enable Retention policies on most of the Office 365 services like Onedrive, Exchange and since a short period even Groups and possibly even Teams.

You can configure the retention policies quiet easy using the wizard. You can find this in the Security and Compliance menu of the Office 365 admin Center.

So when do you use Litigation hold and when to use a retention Policy

When use Litigation hold to Legally hold a complete mailbox (it will be stored between the soft deleted mailboxes). You use the Retention Policy when you want to preserve Content of one of the Office 365 services.

And yes the configuration of these compliance settings really depends on the situation of you company or client.

Please follow and like us:
error

Revoke Access from compromised office 365 account

Revoke access

When you have aaccount in your organization that has been hacked or compromised you need to take immediate action to prevent a security dilemma inside of your organization.

For instance when the credentials of a account are compromised. This account can be used for sending out bad emails with malware  and even worse skimming. This will result in a bad Image for your company.

Actions against compromised account

When a account is compromised you need to revoke access to this account. You can perform this with a password reset. What most admin do not know is that this change does not kick in straight away. To speed this process up, the best thing to do is run a “Revoke-AzureADUserAllRefreshToken” on the user’s account. (make sure you are using the connect-azuread module)

Now you are sure that this account has a new password and logging in is impossible.

There is a scenario that the account can still send emails to others. In this case the best thing to do is to create a transport rule. The Transport rule can prevent the user to send out malicious emails.

There is also a way to prevent most of these dangers with the implementation of Azure AD identity protection.

 

 

Please follow and like us:
error

Microsoft Office 365 groups and Office 365 teams Expiry

Yesterday Microsoft has introduced a feature within Office groups to set an expiry date. What does this means.

What does this mean

This means that you can set a 30 days expiration of a group. When the experation date is passed the owner of the group gets a notification to renew the expiration date for another 30 days or even more.

un1

How do i configure this Group Expiry

You can set the expiration of Office groups in Azure Active directory.

Untitled

When you’re not setting a new expiration date the group will be removed and put into soft deleted. If a group is deleted this can be a real pain for the members of this team or group when this was not the intention.

See my post How to restore a group on how to restore a office group.

Please follow and like us:
error